Flashcards in Risk Assessment (c)(iii) and (d) Deck (9):
What is a "Walkthrough"?
- Act of tracing a transaction through org records, procedure and business processes
- Auditor's objective is to understand transaction flow (how initiated, authorized, recorded, processed, and reported)
- ID when control is missing, operating ineffectively or not designed properly
- Nontechnical approach to learning how a particular process or transaction works
- Considered a prelim step in overall testing process
- Based on the info and evidence gathered from walkthroughs, IT auditor s/b able to assess risks w/ business processes and controls relate to IT
What are may be included in "Walkthrough" procedures?
- Inspect relevant doc
- Re-perform controls
- Auditor should follow AS5 recommendations about combining
observation, inquiry, and review of relevant documents as part of the walkthrough
When are "Walkthrough" required?
- Required when certifying financial reporting controls under SOX 404
Based on concept of "Key Controls", when do Controls become "Relevant"?
(1) If controls are associated w/ FS data or financial reporting processes
(2) If controls are IT-related or IT-dependent
(3) If controls are related to RMM
What are 2 focus IT Auditor has on Automated Controls?
(1) Automated controls are key objective in IT audit
(2) Effective automated controls can be leveraged to reduce substantive testing in FAP phase of financial audit
- Automated controls s/b tested when there is an expectation of operating effectiveness for them, when substantive procedures alone do not provide sufficient evidence, and when there is a
lack of audit trail other than through IT or digital data
What are methods to ID Key Controls?
- IT auditor ID's key controls associated w/ relevant systems, applications, and specifically business processes
- Methods: Walkthroughs, interviews, observation, review of key documents, flowchart of business processes, financial systems and data flows
Determine Relevant Business Processes and Controls to Review
(1) IT auditor ID's Key Controls
- Associated w/ relevant systems, applications, and specifically business processes via walkthroughs, flowcharts
(2) ID Relevant Controls Embedded in Automated Business Processes
(3) Benchmark Relevant Automated Controls
- Measure and evaluate the “strength” (reliance) of control based on benchmark (the designed purpose of the control)
What is "Risk of Material Misstatement"?
- RMM = IR + CR
- Risk that an event, process or activity will lead to material misstatement and not be prevented/detected timely
- Includes acct balances, classes of transactions, disclosures, mgmt assertions
- Also includes risks from IT of entity